LDAP Injection

2015-10-17T19:41:46
ID NODEJS:18
Type nodejs
Reporter Jerome Touffe-Blin
Modified 2018-02-23T07:46:08

Description

Overview

Versions 2.3.2 and earlier of ldapauth-fork are affected by an LDAP injection vulnerability. This allows an attacker to inject and run arbitrary LDAP commands via the username parameter.
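The class of bug described above, shown as an added example (not code from ldapauth-fork or its fix): a username substituted into an LDAP search filter without escaping can change the filter's structure, while escaping it per RFC 4515 keeps it a literal value. The function names, the `{{username}}` filter template and the sample usernames are assumptions constructed for illustration.

```javascript
// Added example: escaping a value before placing it in an LDAP search filter.
// Names, template and inputs are constructed for illustration.

// Characters that RFC 4515 requires to be escaped inside an assertion value.
const FILTER_ESCAPES = {
  '\\': '\\5c',
  '*': '\\2a',
  '(': '\\28',
  ')': '\\29',
  '\0': '\\00',
};

function escapeFilterValue(value) {
  // Reject non-strings so objects or arrays never reach the filter builder.
  if (typeof value !== 'string') {
    throw new TypeError('LDAP filter value must be a string');
  }
  return value.replace(/[\\*()\0]/g, (ch) => FILTER_ESCAPES[ch]);
}

// "Before" form: raw substitution, the input becomes part of the filter syntax.
// split/join is used so "$" sequences in the input are not treated specially.
function buildFilterUnsafe(template, username) {
  return template.split('{{username}}').join(username);
}

// Hardened form: the input is escaped and stays a single literal value.
function buildFilterSafe(template, username) {
  return template.split('{{username}}').join(escapeFilterValue(username));
}

// Count filter items by their opening parenthesis. Escaped parentheses appear
// as \28, so a change in this count means the input altered the structure.
function countFilterItems(filter) {
  return (filter.match(/\(/g) || []).length;
}

const TEMPLATE = '(uid={{username}})'; // constructed template
for (const name of ['alice', 'a*', 'x)(cn=y']) { // constructed inputs
  const unsafe = buildFilterUnsafe(TEMPLATE, name);
  const safe = buildFilterSafe(TEMPLATE, name);
  console.log(JSON.stringify(name), unsafe, countFilterItems(unsafe),
    safe, countFilterItems(safe));
}
```

A filter-item count that differs between the template and the built filter is a useful assertion in unit tests around any code that assembles LDAP filters from user input.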

Recommendation

Update to ldapauth-fork version 2.3.3 or later.

References

  • https://github.com/vesse/node-ldapauth-fork/issues/21
  • https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4